CYREN 2013 Internet Threat Report (English)



  2. CYREN YEARBOOK: Foreword

     SECURITY REVIEW 2013 AND WHAT TO EXPECT IN 2014

     2013 was a very challenging year for IT security, with several high-profile breaches – and against that backdrop, it would be easy to think that the bad guys are winning. In 2013, the CYREN GlobalView™ Cloud analyzed more than 4 trillion security transactions, giving us a unique insight into the security landscape “below the headlines.” In that data we see many encouraging trends.

     Cyber crime is big business and, in common with other commercial enterprises, the cyber gangs expect a big return on their investment (ROI). So the fact that in 2013 cyber criminals altered or even dropped many of their long-standing techniques is a sign that we have been successful in destroying the ROI for those techniques.

     In that context, let’s take a look at spam. While 72 percent of all email traffic is still unwanted advertising, overall spam levels dropped. This is because botnets were traced and taken down – forcing the cyber gangs to devise new techniques for spreading malware to build replacement networks, for example by distributing malware via malicious links instead of attachments. They have to do this because the economics of spam are so poor that the spammers only get a ROI if they can illegally co-opt millions of computers – with their associated bandwidth – into their networks.

     We also saw a big shift in the emphasis for malware distribution toward smartphones and tablets, both for their prevalence in the market – they outsell desktop computers by 10x – and for their comparatively poor protection. Smartphones in particular have proven a lucrative new outlet for the gangs, as they offer other ways to generate a return beyond ‘classic’ spam distribution.

     In response to more effective protection for desktops, we have seen a rise in ‘ransomware’ – where a computer is locked down by malware and the owner is threatened with the destruction of their data unless they pay to unlock it – with the gangs also incorporating a human component into their distribution model.

     At the CYREN GlobalView™ Security Lab, we are committed to innovating in equal and opposing force to the cyber gangs. In 2013 we incorporated our proven antispam, antimalware, IP reputation, mobile security, and URL filtering technologies into a powerful new security-as-a-service platform. The first application of this is a global Web security service that protects users from Web-borne threats – wherever they are and on whatever device they use. In 2014, we are expanding our existing Advanced Persistent Threat (APT) capabilities to shine a light further than ever into the murky world of the botnet, potentially exposing the networks all the way back to their owners.

     It is almost certain that 2014 will present its own challenges, but we will continue to destroy the ROI for cyber criminal activities. While we may lose some battles along the way, we will be winning the war.

     Lior Kohavi, Chief Technology Officer at CYREN
  3. Contents

     TABLE OF CONTENTS: ANDROID MALWARE; OVERALL MALWARE; WEB SECURITY; PHISHING; INTERNET SECURITY; EMAIL-ATTACHED MALWARE; SPAM; ZOMBIE WORLD MAP; SPAM COUNTRIES OF ORIGIN; SPAM TOPICS; PREDICTIONS; ABOUT CYREN

     PUBLISHER: CYREN, 7925 Jones Branch Drive, Suite 5200, McLean, VA 22102, Tel: +1 703 760 3320
  4. Android malware

     MALWARE FOR ANDROID DEVICES

     High powered mobile devices such as smartphones and tablets have become increasingly common and the Android OS is now installed on hundreds of millions of devices. Cyber criminals have clearly taken notice of the huge number of devices, as evidenced by the steady growth of malware targeting these platforms.

     There are additional factors that add to the attraction of Android as a malware platform. The first is the always connected nature of most devices – either to WiFi or mobile networks. This allows cyber criminals to access compromised devices at will and abuse them in the same way as wired PCs. The second is the built-in payment mechanism – usually to app stores – that does not require user re-entry of credit card information. This can be easily abused for bogus background app-store purchases. Thirdly, malware can also generate revenue from premium SMS, MMS and calls.

     ANDROID MALWARE AVERAGE: 5,768 per day for last 6 months

     [Chart: new Android malware by month, JAN13 to DEC13]
  5. Overall malware

     RANSOMWARE

     Ransomware is not a new concept, but 2013 saw a huge increase in its use – apparently as ROI from other sources fell. Typically, the unfortunate victim is presented with a locked screen and told to make a payment – either direct via credit card, or by calling a number and handing over payment details. The alternative to payment is destruction of all data on the affected hard drive. Most victims pay “unlocking fees” in the region of a few hundred dollars. Of course there is no guarantee that the criminals will not lock the computer again, so many users elect to reformat their machine and start over.

     TOP 5 DETECTIONS OVER THE LAST 6 MONTHS
       1. AndroidOS/Plankton.A.gen!Eldorado
       2. AndroidOS/FakeDoc.H
       3. AndroidOS/SMSreg.N
       4. AndroidOS/AirPush.A.gen!Eldorado
       5. AndroidOS/SMSreg.C.gen!Eldorado

     MALWARE SHARE: SMS 73%, Stealer 8%, Adware 12%, Other 7%

     INFOSTEALER / Backdoor: AndroidOS/Plankton.A.gen
     Plankton is a service that runs in the background and communicates with a command and control server “search” the service waits for actions to execute from the server. It is able to get the user's browsing history, set bookmarks, homepage and shortcuts and install downloaded files to the user's device. It collects the phone's IMEI, IMSI, SDK version, IP address amongst other sensitive data and sends it to the server.

     SMS TROJAN / RISK: AndroidOS/SMSreg.N
     The SMSreg.N is NOT a Trojan, it is classified as a security risk. The user downloads an application that sends an SMS message from the user's phone to a premium number for some service that the application provides – for example a daily horoscope. In most cases, the user never reads the user agreement, where it is stated that the user will be charged for this service by letting the application automatically send an SMS message once a week or a month.

     ADWARE: AndroidOS/AirPush.A.gen
     This is a detection for the Airpush SDK that pushes ads to the notification bar on the Android device, even though the game or the app it was installed with is not running.
  6. Web security

     GROWTH OF MALWARE EMBEDDED IN WEBSITES

     The number of malware URLs tracked in the GlobalView™ Cloud Database increased by 131% during 2013. Any website can easily be compromised if not updated regularly – enabling malware developers to exploit security vulnerabilities in common content management systems. The most common Web category that CYREN saw hacked in 2013 was “Education” sites. Travel, sports and pornography sites are popular targets too (although the latter may intentionally hide malware), followed by websites offering free pages.

     MALWARE URL INCREASE over the year: 131%

     [Figure: INCREASE IN MALWARE URLS OVER THE YEAR; labels: TRAVEL, EDUCATION, URL Filter]
  7. Web security

     WEB EXPLOIT KITS

     During 2013 CYREN saw an increase in Exploit Kits being used to deliver platform specific malware. In this model, users visit an infected website and their computer is scanned by an ‘invisible’ script that chooses the appropriate malware that can exploit known vulnerabilities associated with the browser, OS, PDF reader, etc.

     Users are typically led to these threats by posts on social networking sites or email messages with embedded links. Current events are increasingly used as bait to attract users to websites contaminated with malware. Popular subjects in 2013 included the papal election and the royal baby, with the conflict in Syria being referenced when it had barely begun.

     To illustrate how fast these can move, our data shows that the average time between an actual news event and its exploitation by cyber criminals was around 22 hours.

     POPULAR TOPICS 2013
       • SYRIA EVENT, September 2013 – Fake CNN and BBC news link to malware websites.
       • ROYAL BABY, July 2013 – The world awaiting first pictures of the new Royal baby in Great Britain – and malware authors created fake status updates and offered “live hospital cam.”
       • POPE ELECTION, March 2013 – Papal election: Fake results and fake child abuse rumors.

     [Figure: numbered steps 1 to 6, with the labels “Invisible scripts” and “Finds weaknesses and infects computer”]

     [Screenshot: Internet Explorer prompt, translated from German: “Do you want to allow this website to open a program on your computer? From: / Program: Microsoft Help and Support Center / Address: hcp://services/search? query=anything&topic=hcp://system/sysinfo/sysin / Always ask before opening this type of address. Opening programs through Web content can be helpful, but it poses a potential threat to the computer. Allow this action only if you trust the content source. What is the risk?” Buttons: Allow, Cancel]

     [Script excerpt shown on the slide, cut off in the transcript:]
     if (b){ var g = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 22.1, "Win.* Mobile", 22.2, "Pockets*PC", 22.3, 100]; for (h = g.length - 2; h >= 0; h
  8. Phishing

     PHISHING INCREASE IN 2013 AND WEB CATEGORIES INFECTED BY PHISHING

     The number of phishing URLs tracked in the GlobalView Cloud Database increased by 264% during the course of 2013. Most common categories: Free Web pages, Education, Sports, Computers and Technology, small shopping and small business sites.

     PHISHING URLS 2013: 264% increase over the year

     TOP PHISHING TOPICS
       1. FREE WEB PAGES
       2. EDUCATION
       3. SPORTS
       4. COMPUTERS & TECHNOLOGY
       5. SMALL SHOPPING SITES
       6. SMALL BUSINESS SITES
  9. Phishing

     PAYPAL IS THE NUMBER ONE TARGET OF PHISHING

     With almost 150 million registered account holders, it is not surprising that PayPal regularly places first as a subject used in phishing attacks. Every day we uncover around 750 new phishing websites that specifically target PayPal users; this equates to more than 270,000 sites annually. As new phishing sites are discovered they are categorized and logged as such in the CYREN GlobalView™ Cloud URL database.

     ~750 new phishing sites targeting PayPal users every day
  10. Internet security

     THE YEAR IN INTERNET SECURITY: 2013 VISUAL REVIEW

     REVIEW 2013
       • Spam – 2013 spam average: 78.297 billion emails per day
       • Viruses – 2013 email malware average: 1.68 billion daily virus emails
       • Phishing – Increase in phishing URLs over the year: 264%
       • 2013 Web malware – Increase during 2013: 131%
       • Android malware – New Android malware per month: 173,000
       • 2013 Malware – New unique malware per month: 6.08 million

     TRENDS 2014
       • MOBILE MALWARE – Android still the main target
       • LOCALIZATION – More localized spam
       • WEB EXPLOITS – Growing underground market

     [Timeline graphic, JAN to DEC, with the labels VALENTINE’S DAY, APRIL FOOLS’ DAY, MOTHER’S DAY, ROYAL BABY SPAM, SYRIAN CRISIS, HALLOWEEN, THANKSGIVING and SPAM MAXIMUM]
  11. Email-attached malware

     MALWARE IS BEING TAILORED TO SPECIFIC COUNTRIES

     Malware is increasingly tailored for specific countries. While German email users receive fake train bookings from Deutsche Bahn or Lufthansa tickets, Americans will receive fake gift vouchers from U.S. companies, bills from their tax authorities, or even speeding fines from the police.

     2013 VIRUS AVERAGE: 1,85 BILLION per day
     2013 VIRUS MAXIMUM: 7,18 BILLION in February

     VIRUS/OUTBREAK %
       • dangerous.virus-outbreak: 60.8
       • dangerous.virus: 38.5
       • dangerous.iframe: 0.7

     [Chart: VIRUS SHARE, 0% to 100%, JAN to DEC]
  12. Spam

     SPAM LEVELS CONTINUE TO DECREASE

     Following the trend of the last two years, spam continued to decrease. Globally, spam now averages 72% of all email traffic. Although spam has decreased, the absolute number of messages sent every day is still significant – averaging 78 billion emails. By year-end the average had dropped to 57 billion emails per day.

     SPAM SHARE: spam 72%, legitimate emails 28%
     2013 SPAM MAXIMUM: 301% of the year’s average
     2013 SPAM AVERAGE: 78,297 BILLION daily spam emails

     [Chart: SPAM LEVELS, Spam Trend, 0% to 100%, JAN to DEC]
  13. Zombie world map

     ZOMBIE COUNTRIES: TOP 10 COUNTRIES FOR HIJACKED COMPUTERS BY QUARTER IN 2013

     India had the largest number of hijacked – or ‘Zombie’ – computers throughout 2013. These zombies were mainly used for spam and malware distribution. Outside of India, the other countries in the Top 10 were almost exactly the same throughout the year, with their place varying according to overall botnet activity.

     QUARTER 1: INDIA, RUSSIA, BELARUS, IRAN, PERU, ARGENTINA, COLOMBIA, KAZAKHSTAN, VIETNAM, CHINA
     QUARTER 2: INDIA, CHINA, VIETNAM, PERU, BELARUS, TAIWAN, RUSSIA, COLOMBIA, ARGENTINA, IRAN
     QUARTER 3: INDIA, VIETNAM, CHINA, TAIWAN, BELARUS, PERU, UKRAINE, ARGENTINA, IRAN, RUSSIA
     QUARTER 4: INDIA, VIETNAM, IRAN, TAIWAN, BELARUS, PERU, UKRAINE, UNITED STATES, CHINA, RUSSIA

     [World map: TOP TEN ZOMBIE COUNTRIES EACH QUARTER, marking INDIA, RUSSIA, CHINA, TAIWAN, ARGENTINA, COLOMBIA, IRAN, VIETNAM, BELARUS and PERU]
  14. Spam countries of origin

     ONLY TEN COUNTRIES PRODUCE 50% OF ALL SPAM

     Ten countries are responsible for approximately 50% of all detected spam, with the Republic of Belarus, USA and India far ahead at the top of the list. In 2013, a regional concentration of spammers emerged in Eastern Europe, replacing the Asian nations of Indonesia, Vietnam and India. An increasing trend toward spam and malware originating from Western European networks, for example Italy and Spain, is a cause for concern.

     [Map of spam origin. Country labels: UNITED STATES, INDIA, ITALY, ARGENTINA, COLOMBIA, SPAIN, BELARUS, UKRAINE, PERU, RUSSIAN FEDERATION. Values shown: 8.6%, 6.7%, 5.3%, 4.2%, 3.9%, 4.8%, 5%, 3.1%, 3.1%, 3.1%. The pairing of countries and values is not preserved in the transcript.]
  15. Spam topics

     THE RETURN OF DIET AND STOCK SPAM

     After a break of several years, there was a resurgence in spam advertising for diet products and penny stocks. As spammers never abandon any technique that yields a profit, we expect this activity to increase in 2014.

     [Chart, labels and values as transcribed: SCAM DATING 6.8% DIET 17.6% PHARMACY 13.8% REPLICA PHISHING JOB OFFER 7.4% STOCK 15.8% CASINO 7.7% DRIVE-BY]
  16. Predictions

     THE SECURITY OUTLOOK FOR 2014: VIRUSES, TROJANS AND SPAM BECOME SMARTER, FASTER AND MOBILE

     As the Internet becomes an everyday component of the life of more and more people, cyber criminals will take the opportunity to create even more targeted attacks.

       • EVENT SPAM RELATING TO THE OLYMPIC GAMES, FOOTBALL AND POLITICAL EVENTS: Global – and increasingly local – events are used as lures for malware and spam campaigns. Cyber criminals still love recycling: malware attachments and mailing structures are routinely reused for different campaigns.
       • PHISHING with a special focus on social networks, as access details become valuable in their own right.
       • SHORT BUT ACUTE MALWARE OUTBREAKS: Spam and malware senders know they only have a short window of opportunity, so campaign durations will be shorter, but the activity level within that window will be more intense.
       • MOBILE MALWARE: Most mobile devices are still under-protected and malware developers will focus on this lack of security. At the same time mobile surfing brings new risks, as users have limited visibility of URLs as compared to their PCs.
       • GOLDEN OLDIES: Well-established spam techniques like ASCII spam or using pictures with disruptive pixels are returning for an encore. This is because these techniques can still bypass some traditional filters, maximizing delivery of the campaign.
  17. About CYREN

     CYREN SECURITY SERVICES

     WEB: Designed for rapid deployment by businesses of all sizes and powered by the GlobalView™ Cloud, CYREN Web technologies give you the flexibility to secure any device against Web-borne threats. Whether you deploy our Embedded URL Filtering or full-service Web security-as-a-service, your customers will enjoy industry-leading protection across all their devices, anywhere they are, however they want.

     ANTIMALWARE: CYREN Embedded AntiVirus provides the best and broadest protection against new and zero-hour threats. Our partners enjoy industry-leading performance with ultra-low processing, memory, storage, and bandwidth consumption. CYREN Embedded Mobile Security delivers a comprehensive security Web and antivirus foundation for providers of mobile applications or services.

     EMAIL: CYREN Email technologies provide industry-leading email protection service. Our antispam, antivirus, IP reputation, and outbound antispam solutions are simple to administer and scale to whatever size your business needs; protecting your customers’ inbox from threats across all devices. CYREN Email solutions are available in both Embedded and security-as-a-service models.

     ALWAYS AHEAD OF THE THREAT: Power your business with CYREN real-time security intelligence and live data analytics. Visit us at the CYREN GlobalView™ Security Center:
  18. CONTACT INFORMATION

       1. US Headquarters: 7925 Jones Branch Drive, Suite 5200, McLean, VA 22102. Tel: +1 703 760 3320, Fax: +1 703 760 3321
       2. USA: 1731 Embarcadero Road, Suite 230, Palo Alto, CA 94303. Sales: +1 650 864 2114, General: +1 650 864 2000, Fax: +1 650 864 2002
       3. Germany: Hardenbergplatz 2, 10623 Berlin. Tel: +49 30 52 00 56 0, Fax: +49 30 52 00 56 299
       4. Iceland: Thverholti 18, IS-105, Reykjavik. Tel: +354 540 7400, Fax: +354 540 7401
       5. Israel: 1 Sapir Rd., 5th Floor, Beit Ampa, P.O. Box 4014, Herzliya, 46140. Tel: +972 98636 888, Fax: +972 98636 863

     SOURCES: All data analyzed for the 2013 CYREN Security Yearbook originates from the CYREN GlobalView™ Cloud Infrastructure.

     © 2014 CYREN Ltd. All rights reserved. CYREN, Recurrent Pattern Detection, RPD, and GlobalView are trademarks, and Eleven, Authentium, F-Prot, Command Antivirus, and Command Anti-malware are registered trademarks, of CYREN. U.S. Patent No. 6,330,590 is owned by CYREN. All other marks are the property of their respective owners.

     This yearbook contains forward-looking statements, including projections about our business, within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. For example, statements in the future tense, and statements including words such as "expect," "plan," "estimate," "anticipate," or "believe" are forward-looking statements. These statements are based on information available to us at the time of the yearbook; we assume no obligation to update any of them. The statements in this yearbook are not guarantees of future performance and actual results could differ materially from our current expectations as a result of numerous factors, including business conditions and growth or deterioration in the internet security market, technological developments, products offered by competitors, availability of qualified staff, and technological difficulties and resource constraints encountered in developing new products, as well as those risks described in the company's Annual Reports on Form 20-F and reports on Form 6-K, which are available through